Google declares war on Android fleeceware scamming users through sneaky subscriptions

The Google Play Store has announced new policies that aim to kick out “free trial” Android apps that use underhand techniques to trick unsuspecting users into signing up for expensive subscriptions.

As we described in the latest “Smashing Security” podcast with special guest Garry Kasparov, smartphone app stores have been infested with apps that charge users excessive amounts of money if they do not cancel their “subscription” before the end of a short “free trial.”

Smashing Security #174: 'Garry Kasparov and Animal Crossing'


It turns out that it’s all too easy for people to be duped into starting free trials of an app, not realising they will be automatically converted into a paid subscription.


Such apps are often labelled as free, but just about every feature has to be paid for… so if you want to actually experience the app you need to make an in-app purchase or sign up for a subscription. However, if an app cannot perform its most basic core function without requiring the user to sign up for a subscription, how can it be considered free?

In some examples, subscriptions could end up costing users hundreds or even thousands of dollars per year.

Fortunemirror app
This daily horoscope app charges users $69.99 a week, which adds up to $3,639.48 per year. Source: Sophos

In an update posted yesterday, Google announced new rules for Android app developers wishing to have their app distributed in the Google Play store:

You, as a developer, must not mislead users about any subscription services or content you offer within your app. It is critical to communicate clearly in any in-app promotions or splash screens.

In your app: You must be transparent about your offer. This includes being explicit about your offer terms, the cost of your subscription, the frequency of your billing cycle, and whether a subscription is required to use the app. Users should not have to perform any additional action to review the information.

Google lists some examples of the common violations they have seen in apps related to free trial offers and subscriptions:

  • Monthly subscriptions that do not inform users they will be automatically renewed and charged every month.
  • Annual subscriptions that most prominently display their pricing in terms of monthly cost.
  • Subscription pricing and terms that are incompletely localized.
  • In-app promotions that do not clearly demonstrate that a user can access content without a subscription (when available).
  • SKU names that do not accurately convey the nature of the subscription, such as “Free Trial” for a subscription with an auto-recurring charge.
  • Offers that do not clearly explain how long the free trial or introductory pricing will last.
  • Offers that do not clearly explain that the user will be automatically enrolled in a paid subscription at the end of the offer period.
  • Offers that do not clearly demonstrate that a user can access content without a trial (when available).
  • Offer pricing and terms that are incompletely localized.

To illustrate some of the methods used by fleeceware, Google shared images of an example app breaking store policies related to subscriptions and free trial offers.

Example offending apps

Google says that any new apps or app updates published on Google Play from now on must abide by the rules, and that existing apps have until mid-June to come into compliance.

Apple’s guidelines already require developers to make sure their “app description, screenshots, and previews clearly indicate whether any featured items, levels, subscriptions, etc. require additional purchases,” but in my investigations there are still plenty of sketchy apps (many of which are related to astrology or celebrity lookalikes) that continue to behave in what appears to be an underhand manner.

I installed one such celebrity lookalike app on my iPhone, and when I hit search it instantly demanded I sign up for a £7.99 weekly “Diamond Membership” subscription, whilst tantalisingly scrolling pictures of George Clooney (I should be so lucky…) and other potential lookalikes up and down my screen.

Another celebrity lookalike app for iOS informed me that my wife was a “99% doppelganger” match with someone famous. The famous celebrity’s image was tantalisingly obscured through pixelisation, but could be unlocked if I agreed to sign up for what would turn out to be an expensive weekly subscription.

Sophos researcher Jagadeesh Chandraiah, who did the initial research into Android fleeceware and more recently has studied fleeceware in the iOS App Store, welcomed the news of Google’s change in policy, and tweeted that he hoped Apple would follow suit with tougher regulations.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
